Threat Hunting: Eight Tactics to Accelerating Threat Hunting

One of the more significant headaches in cyber security is the overuse of buzzwords and acronyms and the overlapping mutations of what they mean. Cyber threat Hunting has become one of those phrases, but it has gained clarity over the last few years as organizations strived to become more proactive. So what is threat hunting? Depending on who you ask, you may get somewhat different answers to the same question. Cyber threat hunting is a proactive approach to detecting suspicious activity from known or unknown, remediated, or unaddressed cyber threats within an organization’s networks. It involves finding malware such as viruses, Trojans, adware, spyware, ransomware, worms, bots, and botnets. The goal is for security analysts to find these threats before they cause damage to systems and data. It’s similar to how fire departments respond to fires; they go into buildings to ensure no additional problems before calling the firefighters. There is a vast collection of tools, skill sets, approaches, and processes to help identify advanced threats that could happen within the network. What is an effective hunting process for one organization may be a waste of time for another, depending on each company’s understanding of what threats they might face. Man-hours spent hunting are typically most beneficial for large organizations targeted by the cybercriminal community regularly, but that’s not to say that regular hunts for small/medium-sized enterprises can’t benefit from and identify threats by doing the same. <h2>Structured Threat Hunting</h2> The structured hunt is based on indicators of compromise (IOCs) and tactics, techniques, and procedures (TTP). IOCs provide information about potential adversaries, such as IP addresses, domain names, operating system versions, etc. TTPs describe how attackers operate and what tools they use. Combining IOCs and TTPs makes it possible to build a picture of the adversary. This approach allows us to detect threats earlier and prevent attacks. In addition, we can quickly identify the threat actors because each activity is described in detail. <h2>Unstructured Threat Hunting</h2> The concept of unstructured hunting is relatively new. It wasn’t until 2013 that we began seeing the emergence of unstructured hunters. Unstructured hunting is a method of finding malicious software (malware), such as viruses, Trojans, worms, etc., without knowing exactly what type of malware you are looking for. Instead, the hunter relies on behavioral analysis to find these threats. In short, unstructured hunting is investigative work where a cyber threat hunter observes behavior and looks for anomalies. For example, if someone sends out spam emails, a system administrator might notice unusual activity on his network and investigate further. If he finds something suspicious, he could take action immediately or wait a few days to see if the same email addresses start sending again. <h2>Traditional Threat Hunting</h2> The traditional definition of threat hunting can be defined as a focused and intensive human/machine-assisted process aimed to identify the possibility of something malicious happening within the network or likely about to happen; this is based on abnormal network behavior, artifacts, or identification via active threat research. A good example of this would be: A large bank has team members whose part of their job is to consume threat reports related to activity targeting their vertical and other companies that match their Enterprise profile. > A new threat report is published from an intel provider describing a new variant of malware that has been catastrophic at similar organizations. This report would ideally contain information around the process tree, registry key, etc., to help the cyber threat hunters not just hunt for detection of the associated IOCs but dig deeper to identify patterns that match the behavior of the malware across the network, like abnormal PowerShell execution or account behavior to look for potential threats and other malicious activity. Essentially, one could assume that if other similar banks have already seen this, “we” are either currently being affected or are about to be. Threat-hunting teams can go on the hunt to confirm or deny that hypothesis. But that’s just one basic example. The “possibly malicious” aspect mentioned above can come from various hunting methods, which can all be “correct” in their own right, depending on the hidden threats, skills, and tools specific to an enterprise. These methods can be driven by the following: <ul> <li>Intelligence-led hunting (IOC, actor, TTP), as mentioned above</li> <li>Hunting for specific unpatched vulnerabilities and if they have been exploited</li> <li>Hunting based on abnormal account activity</li> <li>Hunting based on abnormal machine behavior (i.e., deviations from the network baseline)</li> <li>Identifying imminent threats based on keyword monitoring of Deep Web and Dark Web forum activity</li> </ul> One interesting thing about this topic is that when discussing it, you may hear something like, “Threat hunting is not detection/remediation, and detection/remediation is not threat hunting.” This is 100% accurate, but the two processes rub shoulders and complement each other to a certain degree. An example of this could be a high-priority detection from a known critical asset to a known APT IP (which could be provided by a third party, open-source, etc.). Now, of course, this a detection and not part of a Threat Hunt, but if that one asset is communicating to that IP, what else might that APT have been up to? This is where a Hunter could pivot into an Actor profile and gather/extract all additional information about their behaviors and additional infrastructure, such as TTP's, IOC's, etc., to execute a retrospective search within their SIEM/Endpoint tools to identify: a) what other machines might have been mapping to these behaviors; b) what other machines may have direct identification (associated IOC's); c) what known critical assets were involved; and d) how long this activity has been occurring in the network. <h2>SANS 2022 Threat Hunting Survey</h2> According to the SANS 2022 Threat Hunting Survey, 51% of respondents consider their threat hunting still maturing. Although threat hunting is not a pure tooling game, selecting appropriate tools significantly affects the quality of threat hunting. Essential components of an effective threat-hunting program include: <ul> <li>Qualified hunters</li> <li>Security solutions and tools to establish visibility</li> <li>Actionable threat intelligence</li> </ul> The survey found that classical security tools like SIEMs and EDRs again led the list this year, with 83% of respondents using them for threat hunting. Hunters need visibility into security systems that include the most available endpoints within an organization. That way, every covered endpoint acts as a sensor to limit the space available for an attacker to move around freely. Once threat-hunting teams have almost complete visibility into an organization, they must be able to perform real-time analysis to identify advanced threats. That’s when threat intelligence comes into play. <h2>Utilizing MITRE ATT&CK for Effective Threat Hunting</h2> Organizations are increasingly adopting threat hunting as part of their overall information assurance strategy. This requires a shift from reactive responses to attacks to a proactive approach where organizations actively monitor their environments and respond to suspicious activity. To achieve this, organizations must adopt a risk-based approach to threat hunting and ensure that their threat-hunting activities focus on areas of concern rather than being limited to reacting to incidents. The MITRE ATT&CK framework provides a structured process to help organizations understand how to identify and investigate potential threats using a structured approach to identifying potential attack vectors. It helps organizations focus on the most relevant TTPs and prioritize activities based on risk assessment. Regardless of your definition of threat hunting, an enterprise needs to have the right components in place for it to be possible. <ol> <li>Identify the right people with the proper knowledge. Hunting is a resource-intensive process. Larger organizations may have a dedicated hunt team. The team executing the hunt should have an intimate understanding of the network configuration, the endpoint/SIEM/XDR tool interfaces, the user access policy, and, perhaps more than anything, a deep knowledge of the prevailing operating systems in use. Most organizations do not have the resources for a dedicated hunt team, so your threat hunters will most likely be wearing multiple hats. Analysts who know the native processes installed on an organization’s “gold image” endpoint deployment are good places to start.</li> <li>Dedicate time for the team to hunt. As mentioned before, this process is human-driven and will never get any results if there isn’t any time dedicated to it. Set aside daily or weekly hunt hours on your skilled hunters’ calendars.</li> <li>Know your critical assets. Sometimes it’s surprising to hear that the security teams of large organizations don’t know where the “crown jewels” are located, but it’s not uncommon. If your team doesn’t have this mapped out, take the time to identify the MAC addresses, hostnames, etc., of the machines that hold the employee, customer, web application, and intellectual property data. This means Threat Hunters can easily key in hunting against assets as part of their schedule.</li> <li>Invest in the right tools - The team needs a beach that holds hidden treasures for the metal detector to have a purpose. Without proper implementation of SIEM, XDR, Endpoint, and Threat Intelligence, they can’t find any treasure in an empty room.</li> <li>Invest in third‌-party intelligence – Know the threats specific to your vertical and your brand by investing in threat intel and threat intelligence management solutions to collect/curate/integrate large datasets of threat intelligence, like Anomali ThreatStream.</li> <li>Collect internal intelligence - Document all information and artifacts collected from successful hunts so that you don’t have to hunt the same thing twice from proper implementation of defensive measures, or at the very least, make it a lot easier to identify and remediate the second time around.</li> <li>Know your vulnerability landscape - Know what CVEs are currently unpatched in your network; know their associated severity level; understand what is actively being exploited by the actors that target you so that the Hunt team has yet another logical launching point. The “knowing” part can come from manual analyst research or third-party solutions like vulnerability scanners and threat intel companies.</li> <li>Have a clear plan before beginning. Don’t get caught up with trying to block/quarantine or set up correlation on each suspicious entity as you find them; develop a clear hypothesis of what could happen, and tailor your hunting activities to confirm that hypothesis.</li> </ol> Every organization must dedicate skills, tools, and time to the hunting process to become proactive and be considered an end-to-end security organization. While each organization’s approach may be slightly (or widely) different from others, that doesn’t mean it’s “wrong.” Adopt a process that works best for you to ensure a successful threat-hunting program.